Security Chief Hacks the Lotto

Over the years, I've written about many cyber-crimes in this blog and there's always one recurring theme that always occurs to me.  It is that although it's incredibly easy nowadays to profit from all sorts of cyber based crimes, it's still very difficult to actually get away with it.  In fact it's the same with any sort of illicit cyber activity, it's not hard to bring down even a large web site with a DDOS attack, to hack  and steal a few files or even just empty someone's paypal account but not getting caught is much more challenging.

The criminal opportunities are endless, if you work in IT you'll likely see them all around you.  Of course most of us are basically honest but we also recognise that it's very easy to get caught doing something we shouldn't and very hard to stay anonymous.   The fact is that everything we do leaves some sort of trail back to us, systems, computers and applications log all sorts of information every time they are used it's usually quite simplistic to trace a digital transaction back to the computer it originated from.

Yet it still doesn't stop people and indeed it didn't stop 52 year old Eddie Tipton either who has hit the BBC news this week. Eddie was the head of IT security at the Multi-State Lottery which runs loads of lotteries across the US.   His chief role was to protect the lottery computers which were used to draw the winning numbers.  However he didn't do that and actually installed a root kit on those computers allowing him to calculate the winning numbers of the next Iowa Hot Lotto lottery.

This is all quite easy for a Head of IT Security to achieve, but you can see the problem though, can't you? How does the Head of IT security claim the lottery prize, after he's stolen the numbers?  Well first of all he's got to buy the winning ticket, surrounded by CCTV cameras.

This is the video evidence that was circulated by the crime investigation authorities trying to identify the person who bought the suspicious ticket. This brought Tipton's name into the investigation as a co-worker recognized him from the video. He then defended himself by saying he was in Texas at the time of this purchase, although his cell phone records told a different story. The reality is that as soon as suspicion was on Tipton he was doomed. He was only one of five people with security clearance to the lottery computer, CCTV picked him up entering the room before the draw was made, the cameras were modified to record selectively.

I'm certain digital forensics from laptops, the servers and other computers all would incriminate him too even if he was careful and used proxies. Of course he also had the rather daunting prospect of trying to actually claim the prize without implicating himself, something he attempted through a network of lawyers. This was something he also never managed to achieve, and was arrested for Fraud shortly after.

He now waits for sentencing in a Iowa jail and could face up to ten years in jail. Although it demonstrates how difficult it is to hide your tracks in these situation, it also highlights how easy it is to attempt these crimes. The dangers are usually from insiders or with specific knowledge of a system. It is likely that no-one would have ever noticed that the lottery numbers were being manipulated though if he hadn't tried to claim the jackpot!